How to Avoid Cybersecurity Breaches

Podcast: Play in new window | Download

Subscribe: RSS

In this episode, Barbara and Kevin discuss:
*Why you should gain help in setting up a cyber security?
*How can a medical practice market its cybersecurity capabilities and use them as a competitive advantage?
*What steps  small businesses should take to ensure it is protecting sensitive data and meeting compliance requirements?

Key Takeaways:
“Encryption is the only safe harbor for a data breach. Everybody should write that down.” – Kevin Fream

Connect with Kevin Fream:
Website: https://www.matrixforce.com/
LinkedIn: https://www.linkedin.com/in/kevinfream/
Instagram:
YouTube: https://www.youtube.com/user/kevinfream
Twitter: https://twitter.com/kevinfream?lang=en

Connect with Barbara Hales:

Twitter:   https://twitter.com/DrBarbaraHales
Facebook:   https/www.facebook.com/theMedicalStrategist
Business Website: https://www.TheMedicalStrategist.com
Email:   halesgangb@aol.com

YouTube: https://www.Youtube.com/TheMedicalStrategist
LinkedIn: https://www.linkedin.com/in/barbarahales

Books:
Content Copy Made Easy
14 Tactics to Triple Sales
Power to the Patient: The Medical Strategist

 

TRANSCRIPTION (154)

Dr. Barbara Hales 00:00
Well, welcome to another episode of marketing tips for doctors.

I’m your host, Dr. Barbara’s house. And today we have with us, Kevin Fream. He’s an interesting guy who states most people don’t understand the game they’re playing and get frustrated in business, cyberspace, and life. He says “I help you streamline your technology and have greater peace of mind. And let’s face it, that’s something we could all use.”

Kevin Frame is CEO of Matrix Force and creator of the patent-pending delta method, saving clients billions with eBay. He is the author of the number one bestselling book, Easy Prey, Streamlining Technology, and Changing Your Game, along with featuring a featured speaker at Harvard, NASDAQ, Coca-Cola, and Microsoft. Kevin also appears frequently on ABC, NBC, CBS, and Fox News and on an ongoing nationwide tour to warn the public about the perils of cybercrime, and ransomware.

Most business owners are just trying to go the distance, but they have IT support motivated to work against them.  That’s why Kevin enjoys working with business leaders who understand cybersecurity can be a competitive advantage. We are most fortunate to have Kevin with us today. Welcome to the show, Kevin.

Kevin Fream 01:50
Barbara, thank you so much. You know, that’s really humbling coming from a poor handicap kid in rural Oklahoma. But this is such an important topic for your audience that I really do believe cybersecurity should be part of your competitive advantage and be used as part of your marketing, especially in medicine.

Dr. Barbara Hales 02:13
Now, nobody says when they’re little children, I”‘m going to grow up to do cybersecurity”. So how did this happen?

Kevin’s Cyber Security Journey

Kevin Fream 02:26
Well, I had really poor vision and had coke bottle glasses, and, you know, a huge overbite, and I was one of the really special 5% that was born without all my fingers. So, one of the things that my parents did is say, well, our son’s not gonna be left behind. And they gave me all kinds of things to read and to look at. And one of those was, you know, some first gaming systems and the very first computers, and I really love strategy. I love creating things. And, you know, that was something where you really didn’t have to look like everybody else to be really successful on the computer. And, you know, the rest is history.

Dr. Barbara Hales 03:22
Yeah, look at you handsome devil now.

Kevin Fream 03:28
Well, that’s been a long story as well, you know, tons of glasses, and then you know, contacts and then even laser eye surgery. And two years ago, I had a full facial reconstructive surgery with double jaw surgery. And so quite literally, I died to get this face. I went in for the surgery, and they did have to revive me. It was, you know, a four-hour surgery. And then I had eight weeks on a liquid diet, or I had to get any sustenance through a syringe and couldn’t blow my nose. So, it’s, it really made me a change expert. And, of course, that’s my new number-one bestselling book has changed your game. One of the things I do around help people, like your audience, pick those examples and experiences and utilize them in their own lives.

Fighting Ransomware

Dr. Barbara Hales 04:33
You know, several years ago, there was something that came out called ransomware that nobody had ever heard of before, but it certainly made every hospital in the country and every healthcare professional shake in their boots when they were told that the computer information session was being stolen and that the only way to get it back would be to pay millions of dollars. And that essentially, it was being, you know, like hijacked and being held for ransom, which nobody had ever heard of before. And, you know, something that we all worry about now. So, if something like that were to happen, you know, I mean, like, especially for a hospital that has millions and millions of charts, do you recommend that they pay the perpetrator? Or do you recommend that they steal them while they try to do something? I mean, what is the approach that you recommend?

Kevin Fream 05:53
Well, you have to be ready for it. And you’re exactly right. Still the day a lot of people don’t know what ransomware is. And I like to say it’s the worst thing that can happen to you on the computer; basically, bad guys encrypt all of your files, so the computer won’t be started up, right, and you have no access to your data. So basically, you’re dead in the water no internet, no email, no data whatsoever. And what you have to do is you have actually to disconnect from the internet. And then you have to look at your options. And really, your only option is to quickly eradicate things.

So, you’d have to format everything and then restore and restore from backup. And that’s, you know, that’s a really painful process. If you do have a backup, you still lose all that time. And in Oklahoma, where I’m from, in 2016, it was really common for over 1000 companies to be infected with ransomware every month, and that was about average across the nation. And that’s where I said, wait a minute, I can’t be doing this, we could get people up and running. But they would lose two weeks, and we would lose a massive amount of time and lose ourselves. So, I got together with 20 other cybersecurity experts from all around the world. And we wrote easy prey. And that’s what really got me invited to Harvard and the NASDAQ and then going around and doing a ransomware quiz on national TV. And the short of it is No, you shouldn’t pay the ransom because you have little or no expectation of getting your data back. And even if you do pay the ransom, there’s no assurance that you’re actually going to get all your systems up.

Generally, if you do get a key from the bad guys, and you have no idea of when they’re going to come and give you the information, then if you get access to the systems, it’s usually a one-time shot because the first time you try to restart the systems, they usually won’t start up again, and then you’re back to the same place.

Dr. Barbara Hales 08:21
Did these guys ever get caught?

Kevin Fream 08:26
Very rarely, almost never. And that’s the other part of it is that it is paid in Bitcoin. So, you have to be prepared ahead of time with all the contingencies. And that’s what I like to, you know, get people in the position of is, do you have a ransomware drill that you run through? And here’s all the things that we do? Do you already have an incident response page on your website that’s already there? And all you have to do is upload a PDF, rather than having to think about all this kind of stuff, and who do I contact and who’s on the list and what’s the most important system, all that stuff should be covered in regular incident response that you can do ahead of time. And then you practice that.

If the worst happens, you’re ready. And you already have things in place and know what to do and you don’t get stuck having to pay the ransom. Because that’s the flip side, right, Barbara is generally if someone penetrates your system and axon, they’re there for more than 45 days. And the average actually in the industry is 123. And then all that time, they will usually go and manipulate your backup. So, it looks like it’s running but it’s not. And so, you really don’t have a backup and that’s why so many organizations get stuck because they don’t have any contingencies in place, or even gone to the next level. To be able to look out for the stuff. So, it’s a huge deal and continues to be.

Dr. Barbara Hales 10:05
So, if a group is fastidious about doing a backup every day, and the backup is not infected, can they be reassured that they can disengage from the bad guys and then just put back the backup that they had?

Kevin Fream 10:31
Oh, absolutely not, as we saw with the MGM breach earlier this year. And that’s a big point. Most people don’t know the difference between a breach and a hack. A breach is an unintended disclosure of confidential information. A hack is when a bad perpetrator actually takes advantage of the vulnerability and gets into his system with MGM, just like almost all breaches, because generally, everything is called a breach.

It was somebody who called the helpdesk and said they were a new exec with MGM. And I need an account setup. And people are people. All this makes common sense. And after you’ve heard it once, but to help desk operators set up an account for someone who didn’t know, who obviously just looked on LinkedIn and made up a LinkedIn profile. And from there, since I had an account, they could start off and get access to the systems and download their malicious code. They encrypted over 16 Major properties for MGM, and all the associated Bally’s, all of those associated casinos, and any subsidiaries, and they were there a long time. And they ended up having to pay the ransom. And that’s where none of your clients want to be.

Dr. Barbara Hales 12:07
Oh, I should think not. I mean, this is really, really scary stuff. So, do they hire you to come in and do a drill with them and a checklist? Or do you teach people how to avoid having ransomware attack your system as it works with you?

The Matrix Force

Kevin Fream 12:34
Exactly the difference that we come in with the delta method is we invert everything. And you take any kind of evidence and you prepare that right up front. So why not do a regular HIPAA risk exam, and then, just like some of the kids that you went to school with who did their homework but never turned it in?

Why don’t you take the next step and publish your executive summary of your HIPAA risk exam on your website, or even things like a HIPAA compliance form that says we do these top 10 things for HIPAA, and it’s signed off by the office administrator or the main doctor? And then, oh, by the way, we already have an incident response page if something happens here, and if something does happen, we’re going to upload a PDF of exactly what happened, but it explains what our process is for handling it. And then, if you do an actual drill, you’ll find lots of holes really quickly, and you have a work plan. And each year, you start eliminating some holes, and the first few years are some big ones. And then it gets less and less. Most medical practices don’t have any kind of alerting or management in place to even notice if something’s going wrong. So, there’s it by the time you wait for backup, it’s too late.

Dr. Barbara Hales 14:11
Yeah, absolutely not. And to tell you, as a patient, I would feel really very comfortable knowing that anything that was secure about my personal data was not going to be out there on the dark, dark web.

Dark Web

Kevin Fream 14:30
Wouldn’t that be great if you went to look up a doctor’s office or medical practice and not only did they do really good stuff with patients, but they also were in line with HIPAA and they had never been on the HIPAA wall of shame at the Office of Civil Rights that you can never get off of. And, and that’s the other thing is you can look up by state in C.

You can never get off that list. You can go back by time, and maybe time heals all wounds, maybe. But you could still be found out there. And the average HIPAA fine is $1.5 million average, even, even for small practices, and so it could break the bank. And, you know, a lot of doctors, I think, are a little bit naive in also don’t believe this happens. I don’t know if you get that feedback at all.

Dr. Barbara Hales 15:34
Well, you know, I’m sure that the whole idea that it was really just a foreign language—I don’t think that with all of the fears and worries that are going on a daily basis—the fears that you’re talking about really don’t even come into play.

Kevin Fream 15:56
Right, I get that as well. I have some doctors that look under the table and then look at me and go, Kevin, I don’t see any HIPAA police around here. Or whoever is not coming after me. And that’s, that’s when I have to explain is no, there, they’re not actually going to show up at your door and say we’re going to come in and do an audit, there’s going to be some kind of breach or some kind of complaint from a competitor or from a disgruntled patient. And do you know what, Barbara, do you know what a whistleblower gets for turning an organization into the Office of Civil Rights for HIPAA violation, take a guess?

Dr. Barbara Hales 16:42
1.5 million?

Kevin Fream 16:43
they get 25%. of whatever the fines are. So do you think in a disgruntled employee or disgruntled patient or, you know, a vendor working with you is, hey, you’re not doing general business practices for HIPAA? You? Do you think they would be kind of motivated to do that? It’s a huge deal. And, you know, even the flip side of that is, a lot of people will say, well, Barbara, I have cyber liability insurance.

Dr. Barbara Hales 17:25
I mean, do most doctors have that?

Null and Void Insurance

Kevin Fream 17:28
They’re starting to, and it’s the same thing. There’s no silver bullet. And what’s misunderstood is if you’re not doing the basics for HIPAA, then there’s a specific section that’s buried in all these policies that are client responsibilities there, you’re doing all these things. And they actually have a questionnaire that’s getting to be about 100 questions now, that’s really specific

Dr. Barbara Hales 17:56
If doctors go through that, then the insurance is null and void.

Kevin Fream 18:00
Exactly. Because you’re if you’re just going down the list and say yes, yes, yes, yes, yes. Then it’s fraud. Right. And and the flip side of that is, insurers, insurance companies, obviously don’t like to pay. And they’re coming to organizations like matrix horse and saying, can you run some external scans to see if they’re doing the minimal stuff that we’ve said on the questionnaire? And when people don’t, they’re denied getting insurance right up front? Or it’s three times the fee for the premium?

Dr. Barbara Hales 18:41
Do you have this checklist, or does this checklist vary depending on the insurance company?

Cyber Risk Prevention

Kevin Fream 18:47
On our website, we have cyber risk. If you go to matrix force.com/cyber risk, there’s an example traveler’s insurance questionnaire, for instance, that shows that. The reality is that part of what you’re required to do is have an annual vulnerability scan. That’s a small part of just having a risk exam. So, Barbara, as a former doctor, I bet you encourage your patients to have an annual physical.

Dr. Barbara Hales 19:21
Of course.

Kevin Fream 19:23
And as part of that, then you looked at the chart, and there were certain things that you had to explain that maybe I didn’t understand. This is the same kind of thing that doctors need to think about for their practice of only blue scans does just that. There are certain things that maybe you don’t want to eat all your vegetables or whatever the other things are, are there certain, certain things that this is the way we do business, I’m going to accept the risk well, at least you know, and that’s the whole thing around this and instead of just a cost of doing business, and here’s some report some more There, let’s actually use this to improve our practice.

Dr. Barbara Hales 20:05
Yeah, absolutely. So, this would be our final exam.

Kevin Fream 20:10
Exactly, exactly.

Dr. Barbara Hales 20:13
Yeah, certainly for marketing purposes, as we talked about before the show,certainly this would be great marketing, point to show on a website to say, as opposed to all of my competitors, we actually show that we are not only HIPAA compliant, but we are protected. And that your information is not going to be, you know, out there because we are not going to be breached.

Kevin Fream 20:53
Well, you can never say never, but you can definitely put your best foot forward and say, Hey, we’re doing all these things, and have it regularly. Check. And that’s, you know, even for cybersecurity, do you know how many cybersecurity firms actually publish their own third-party risk exams and third-party vulnerability scans and their own compliance forms? Almost none? And then how do you look them up at Microsoft, or wherever they’re at? Less than less than 3% of our industry is vetted.

But HIPAA has been around since 2013. Why doesn’t every medical practice have things like that? Here’s our executive summary of our risk. Here’s a summary of the vulnerability scan. Here’s a link to our vetted it support that does the same thing. Out of all of the HIPAA violations on the 8020 rule, 80% are not covered entities, they’re not a medical practice, it is their electronic medical records platform, or it is their IT vendor that’s not vetted since 97% of them aren’t. And not a they are not according to the IRS and the FTC, only 3% of IT firms in the US are vetted by government and industry authorities. Wow. So, it’s not only if you’re a doctor, it’s not only your medical practice, it’s all your business associates that you are responsible for. And if you’re not doing your risk exam and asking, asking business associates, where’s your where’s your risk exam? And where’s your business compliance form? Then you’re violating a, a big part of HIPAA, and you’re responsible for knowing that.

Electronic Health Record System

Dr. Barbara Hales 22:54
So, when you are shopping around for the best electronic health record system for your practice, you should be saying to them, are you vetted by the government?

Kevin Fream 23:10
You should be saying there are two things. It used to be in the old days, you know, oh, do you have a business associates’ agreement? And people will say, Oh, yeah, yeah, yeah. And it’s like, no, today, you need to have evidence, and that evidence is you have a third party that does a risk exam. And they should be able to provide an executive version of that.

So, there’s not a lot of privacy details in it. And then secondly, they there, there is a HIPAA compliance form to fill out, like I mentioned before, that the top 10 things of yes, we do data breach training. And yes, we do, you know, have these policies and procedures. And, yes, we do a disaster drill, all those kinds of things, those 10, top 10 A, an officer in that organization signs off on that, and puts their money where their mouth is. Because otherwise, the practice is totally liable. If the practice is doing what it’s saying. And there’s fraud from a business associate, or if they’re not doing what they’re saying, then guess who’s going to bear the brunt of the fine, it’s going to be the business associate. And you have some capability for the practice, then to recoup some of their loss.

Dr. Barbara Hales 24:32
Scary stuff. So, let’s say as a doctor, I am your client. Do you come to my premises or do you just scan everything virtually?

Kevin Fream 24:47
No, it’s twofold. We do an onsite analysis and then create a system plan from that and then we have a risk exam that we run through that questionnaire and we help and develop the evidence for those. And then thirdly, we do a vulnerability scan and go over all that with you. And you come out with those really five deliverables, you end up with a risk exam, the executive summary, the business clients form, your top 10 policies and procedures, you got a system plan now, so you’re independent of it, and you have a work plan for next year.

Computer Hardware

Dr. Barbara Hales 25:26
Okay, which is all great. But the next question I have for you is that, well, the computer hardware is not only generated from the office itself, we have hookups from hospitals and laboratories. Do you check those out as well? Or do you recommend that we don’t connect with them? I mean, how do we handle that?

Kevin Fream 26:00
In the old days, and people still think this way, I used to have to send the team and special pieces of equipment and ask for all kinds of accounts and authorization and credentials. And then we’ll take a week or so to run. And we’d be disrupting the practice and then come back and have the results in a couple of weeks. The technology today is literally that I can send an email to three or four people in your organization; it will scan external, as well as internal, of your network and tell you the vulnerabilities in your cloud, in your remote, and in your office all at the same time. And it gives you an idea, it starts answering those questions of maybe we shouldn’t be connecting some of these things remotely, or these are some things we need to turn off.

Dr. Barbara Hales 26:50
So, is it possible to just connect to get lab results and then when we’re not actually searching for lab results to keep it disconnected?

Kevin Fream 27:03
Correct. Everything today encryption is the only safe harbor for a data breach. Everybody should write that down. And you should have an encrypted connection to everything you do through a VPN. And then yes, when you’re disconnected, there shouldn’t be any kind of attack plane for that, and actually should actually be blocked.

Dr. Barbara Hales 27:33
And to you also set up encryption for our cell phones for text messages, as well.

Kevin Fream 27:43
Its insurance companies will ask you, that’ll be one of the big questions is do you have encryption? And people will say, well, I think so. I think Microsoft has it. And they’ll say yes, they are talking about E to have encryption on any servers and the workstations, and any of your smartphone devices or tablets. And any systems that you connect with. Oh, send that’s hard. That’s hard. What’s that?

Dr. Barbara Hales 28:15
So, it’s automatic now for the for the iPhone?

Kevin Fream 28:19
it is automatic; you need to have software that actually can prove that and show that the setting was in place. Just like Windows BitLocker is included. Very few people turn that on, or and they don’t have a system that shows that yeah, here’s a list of machines, and all these drives are encrypted, you have to have all of that.

Dr. Barbara Hales 28:43
Okay, so yet a few more things to stay awake nights worrying about?

Kevin Fream 28:52
Well, I’m the market. That’s why you start out with the risk exam, because then you have all that evidence and you have a peace of mind. And you guys say hey, there’s a piece of software that’s actually monitoring this and spit out a report at any time. And some doctors like to go and look at it because they liked data and they like shiny things and seeing the different objects; some don’t and just want to have the peace of mind for that. And that’s what good cybersecurity does because it’s also lowering your cyber liability insurance when you have all these things. Okay,

Cyber Attacks and CyberCrime

Dr. Barbara Hales 29:32
Let’s say I’m the type of doctor that says okay, I’m now your client. And I’m also not interested in checking up every day to see like, what’s going on with that I have the other stuff that I want to do. So, I’m relying on you as me as my boll to should be monitoring that for me. And that if there’s a breach you’ll be able to detect it right away and take care of it or let me know. And so, is that correct? Am I thinking?

Kevin Fream 30:15
I wonder? You know, it’s like when I interviewed Dr. Oz, one of the things that I asked him is, you know, as he was running for Senate is, you know, what do you think? And how do we step up to prevent what Warren Buffett calls the biggest threat than nuclear war, which is cyber terrorism, cyber-attacks and cybercrime? And he, he had an it really interesting answer for me, that I use regularly said, you know, I had dinner with some prominent cybersecurity people, and they said, definitely don’t pay the ransom. And, you know, get prepared right up front.

But the biggest thing he said is 97% of all breaches are from the person who’s at the keyboard, and everybody has to be responsible for their own use on a computer. And that’s exactly right, is I can’t protect you from yourself on the computer because you’re making all the decisions, and you’re pressing all the buttons, but I can help you avoid loss and improve your operations. And yes, we’re looking out if something does happen. But you know, it’s you’re just not off and off the risk scale. And you’re responsible, regardless. And, you know, that’s coming full circle is we’re now seeing CIO of Casaya, for instance, you know, is, or excuse me, the CIO of SolarWinds, is now being federally prosecuted for fraud, for not filling out a risk exam properly. So, it’s a huge deal.

Dr. Barbara Hales 32:09
Well, this has been an absolutely fascinating episode, can you give us two tips that our listeners can implement right away to protect themselves or to see about their system now to show that they are woefully in need of correction?

Kevin Fream 32:36
Well, one tip is if you’re a medical firm with 25 users or more, then we have a free vulnerability scan and penetration tests, it’s usually $10,000, that we’re able to run to be able to protect organizations like that and give them an idea that that will be one thing. And that’s matrixforce.com/cyberrisk. That isn’t for every year so much for every user. It’s called multifactor authentication or two-factor authentication, all it means is password protection. If you’ll go to Security and settings in any app, including all your social media, it needs to be turned on, because generally, password hacks are the biggest way that people are attacked. And still, less than 65% of online accounts have two-factor authentication turned on.

Protect Yourself In The Online World

Dr. Barbara Hales 33:41
Right. Wouldn’t you recommend that any social media not be done in in a medical practice anyway, that if you’re going to be using social media that it should just be home and not have anything to do with the actual practice?

Kevin Fream 33:56
It’s exactly what you definitely need to get with your attorney, and anything should be really vanilla for events and those kinds of things. Because if you expose a patient, an image name, or anything else in social media, then it’s a violation, and you start the whole investigation of what else are you doing.

Dr. Barbara Hales 34:20
Sure. Well, thank you so much for being with us today. We’ve been listening to Kevin Fream, and he has been an absolutely absolutely absolutely fascinating person in cybersecurity his Delta Force and Matrix Force have been really helpful and really fascinating. So, you have been listening to another episode of Marketing Tips for Doctors with your host, Dr. Barbara Hales. Till next time